Authorization (OAuth 2.0) failure due to mismatch server name (SSL Cert)

I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].

I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’

It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?


Answers

Ricardo, we had direct communication about this issue. AFAIK, the last message from you was that you're all set. Can you please post an answer with a description of what steps you took to fix the issue?

Or am I wrong? Thank you.


Dan Kutac

Comments

Can you post a code sample?

Going by the error message, have you tried providing the googleapis.com certificate?

Stepping back a bit:

What endpoint are you using? From Terminal, I see different certificates for googleapis.com and www.googleapis.com:

USER>set old = $io set dev = "|TCP|443" open dev:("googleapis.com":443:/TLS="Demo") use dev w 123,! use dev s cer = $System.Security.Users.SSLGetPeerCertificate() use old w $System.Encryption.X509GetField(cer,"Subject"),!,$System.Encryption.X509GetField(cer,"Extension:subjectAltName")
CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
DNS:www.google.com

USER>close dev set old = $io set dev = "|TCP|443" open dev:("www.googleapis.com":443:/TLS="Demo") use dev w 123,! use dev s cer = $System.Security.Users.SSLGetPeerCertificate() use old w $System.Encryption.X509GetField(cer,"Subject"),!,$System.Encryption.X509GetField(cer,"Extension:subjectAltName")
CN=*.googleapis.com,O=Google Inc,L=Mountain View,ST=California,C=US
DNS:*.googleapis.com, DNS:*.clients6.google.com, DNS:*.cloudendpointsapis.com, DNS:cloudendpointsapis.com, DNS:googleapis.com

However, in my browser, if I navigate to https://googleapis.com, I see the googleapis.com certificate (and a 404 error). This difference in behavior might have something to do with Caché's lack of support for Server Name Indication (SNI).

Regardless, what happens if you change the endpoint to www.googleapis.com rather than googleapis.com?

Thank you all for your inputs. This issue was solved a few weeks ago. Solved it considering www.googleapis.com instead of googleapis.com.
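
An added example, not part of the original thread: a generic RFC 6125-style server identity check in Python (not Caché's own implementation), run offline against the Subject and subjectAltName values printed in the two Terminal sessions above. The function names are hypothetical; the script shows why `googleapis.com` fails against the first certificate and why `www.googleapis.com` passes against the second.

```python
# Added example: generic RFC 6125-style server identity check (not Caché's code),
# run offline on the Subject / subjectAltName values quoted in the thread.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the hostname the client asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard covers exactly one label, never zero or several
    if p[0] == "*":
        # accept '*' only as the whole left-most label, with >= 2 fixed labels after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def parse_san(san_field: str) -> list:
    """Split 'DNS:a, DNS:b' as printed for Extension:subjectAltName."""
    items = [e.strip() for e in san_field.split(",")]
    return [e[4:] for e in items if e.startswith("DNS:")]

def parse_cn(subject: str):
    """Return the CN from a 'CN=...,O=...' subject string, or None."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None

def check_server_identity(hostname: str, subject: str, san_field: str) -> bool:
    names = parse_san(san_field)
    if not names:  # fall back to CN only when the certificate has no DNS SANs
        cn = parse_cn(subject)
        names = [cn] if cn else []
    return any(dns_name_matches(n, hostname) for n in names)

# Certificate values copied from the two Terminal sessions in the thread.
CERT_FOR_GOOGLEAPIS = ("CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
                       "DNS:www.google.com")
CERT_FOR_WWW_GOOGLEAPIS = ("CN=*.googleapis.com,O=Google Inc,L=Mountain View,ST=California,C=US",
                           "DNS:*.googleapis.com, DNS:*.clients6.google.com, "
                           "DNS:*.cloudendpointsapis.com, DNS:cloudendpointsapis.com, "
                           "DNS:googleapis.com")

if __name__ == "__main__":
    for host, cert in [("googleapis.com", CERT_FOR_GOOGLEAPIS),
                       ("www.googleapis.com", CERT_FOR_WWW_GOOGLEAPIS),
                       ("googleapis.com", CERT_FOR_WWW_GOOGLEAPIS)]:
        print(host, "->", "match" if check_server_identity(host, *cert) else "NO MATCH")
```

The first case reproduces the mismatch from the question; the check passes once the requested name matches a SAN entry, so the identity check can stay enabled.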